High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005


1 High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005 Klaas.Wierenga@surfnet.nl

2 Contents
Why 802.1X and eduroam?
Implementation
  – Requirements
  – Technology
  – Policy
Status eduroam
Future of eduroam
Conclusions

3 But first…
What is a federation?
Is eduroam a federation?
Is it a service?
Is it a brand?
Or…

4 Why 802.1X and eduroam?

5 Wireless LAN is unsafe
  root@ibook:~# tcpdump -n -i eth1
  19:52:08.995104 10.0.1.2 > 10.0.1.1: icmp: echo request
  19:52:08.996412 10.0.1.1 > 10.0.1.2: icmp: echo reply
  19:52:08.997961 10.0.1.2 > 10.0.1.1: icmp: echo request
  19:52:08.999220 10.0.1.1 > 10.0.1.2: icmp: echo reply
  19:52:09.000581 10.0.1.2 > 10.0.1.1: icmp: echo request
  19:52:09.003162 10.0.1.1 > 10.0.1.2: icmp: echo reply
  ^C

6 Users are mobile
[Diagram labels: University A WLAN; University B WLAN; Access Provider Cable; Access Provider ADSL; Access Provider WLAN; Access Provider GPRS/UMTS; SURFnet backbone; International connectivity]

7 Requirements
Identify users uniquely at the edge of the network
  – No session hijacking
Enable guest usage
Scalable
  – Local user administration and authentication
  – No exponential administrative load
Easy to install and use
  – At the most one-time installation by the user
Open
  – Support for all common operating systems
  – Non-proprietary
Secure

8 Possible solutions
Open access: scalable, unsafe
MAC-address: not scalable, unsafe
WEP: not scalable, unsafe
European research networks:
  Web-gateway+RADIUS: scalable, unsafe
  VPN-gateway: not scalable, safe
  802.1X+RADIUS: scalable, safe, the future (WPA, WPA2)

9 Implementation

10 eduroam architecture
Security based on 802.1X (or web-based redirect)
  – Different authentication mechanisms possible
  – Identity-based networking
  – Mutual authentication possible (by using the right EAP-types: PEAP, TTLS, TLS)
  – Protection of credentials
  – Integration with VLAN assignment
  – Provides basis for new wireless security standards WPA and 802.11i
Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport-protocol for authentication information
Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: Documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation

11 Secure access to the network with 802.1X
[Diagram labels: Supplicant; Authenticator (AP or switch); RADIUS server University A; User DB; Internet; jan@student.university_a.nl; Student VLAN; Commercial VLAN; Employee VLAN; data; signaling; 802.1X (VLAN assignment)]

12 eduroam
[Diagram labels: Supplicant; Authenticator (AP or switch); RADIUS server University A; RADIUS server University B; SURFnet Central RADIUS Proxy server; User DB; Guest piet@university_b.nl; Student VLAN; Commercial VLAN; Employee VLAN; data; signaling; 802.1X (VLAN assignment)]
Trust based on RADIUS plus policy documents

13 Tunneled authentication (PEAP/TTLS)
Uses TLS/SSL tunnel to protect data
  – The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks
  – The user sends his credentials through the secure tunnel to the server, thus authenticating the user
Can use dynamic session keys for ‘in the air’ encryption
© Alfa&Ariss

14 Status

15 Status of eduroam
Over 400 institutions in Europe, Australia and Taiwan
USA, Belgium, Sweden will follow shortly

16 Members
FCCN was among the first eduroam participants

17 Future

18 Monitoring: usertracking & weathermap
But what to do with the info?

19 Technology: bypassing the hierarchy overhead?
[Diagram labels: European Server; .nl; .ac.uk; …; .pl; uva.nl; Uni.torun.pl; Access Point; Access Point; User database; tomasz@uni.torun.pl]
AA traffic goes through all intermediate entries
All links are peer-to-peer agreements / static routes / p2p secure
DIAMETER? DNSsec? Radsec
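
The hop-by-hop realm routing that this slide and the eduroam architecture slides describe, as an added example that is not part of the original presentation. The member table, the server labels and the realm example.ac.uk are constructed assumptions; the country suffix is taken as the last DNS label, which is a simplification.

```python
# Added illustration: realm-based RADIUS proxy routing in a three-level
# hierarchy (institution -> national -> European top level).
# MEMBERS is constructed sample data, not eduroam's real routing table.
MEMBERS = {
    "nl": ["uva.nl", "university_a.nl", "university_b.nl"],
    "pl": ["uni.torun.pl"],
    "uk": ["example.ac.uk"],  # hypothetical member realm
}
TOP = "European top-level server"


def realm_of(identity):
    """Return the lower-cased realm of user@realm, or raise ValueError."""
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("identity has no realm: %r" % identity)
    return realm.lower()


def home_institution(realm):
    """Longest-suffix match of a realm against its country's member list."""
    tld = realm.rsplit(".", 1)[-1]
    hits = [m for m in MEMBERS.get(tld, [])
            if realm == m or realm.endswith("." + m)]
    return max(hits, key=len) if hits else None


def proxy_path(visited, identity):
    """List the RADIUS servers an Access-Request passes, visited side first."""
    realm = realm_of(identity)
    home = home_institution(realm)
    if home == visited:
        return [visited]  # local user: authenticated without proxying
    v_tld = visited.rsplit(".", 1)[-1]
    h_tld = realm.rsplit(".", 1)[-1]
    path = [visited, "national ." + v_tld]
    if h_tld != v_tld:  # only cross-border requests climb to the top level
        path.append(TOP)
        if h_tld not in MEMBERS:
            return path + ["REJECT: unknown country ." + h_tld]
        path.append("national ." + h_tld)
    if home is None:
        return path + ["REJECT: unknown realm " + realm]
    return path + [home]
```

For tomasz@uni.torun.pl visiting uva.nl the request crosses five servers, which is the overhead the slide asks about; a sub-realm such as student.university_a.nl resolves to its institution by suffix match.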

20 Roaming policy
Minimal security level
Levels of assertion
Who can
SLA’s
Incident response
Policy board

21 Usability: standardisation, localisation, expansion
Standardisation
  – Limited set of encryption and SSID choices
      Encryption: 802.1X+WEP, WPA+TKIP, WPA2
      SSID: eduroam
Localisation
  – Eduroam-around-the-corner
  – Maps
  – Local pages
Expansion
  – Integration with commercial roaming services

22 AAI Integration: offload AuthZ?
[Diagram labels: European Server; .nl; .ac.uk; …; .pt; SURFnet.nl; FCCN.pt; Access Point; luis@FCCN.pt; A-Select; Shibboleth; FCCN user database]
How do all these applications communicate? (SAML!)

23 Conclusions

24 Conclusions
802.1X plus RADIUS provide a secure and future-proof solution for access to the network for local users
Joining eduroam gives the benefit of instant access for (academic) guest users
Infrastructure not perfect but…
  – It works ™
  – It is ready for the future
Joining eduroam is a small step for administrator-kind but a giant leap for the users, so…..

25 Time to join…..

26 Coming back…
What is a federation?
Is eduroam a federation?
Is it a service?
Is it a brand?

27 Federations
Federations enable the sharing of resources
A federation is constituted by a set of agreements between peers
In a federation agreement there should be a common language
Federations can be part of bigger federations
Federations can cooperate with other federations: confederations
eduroam currently IS a (single-resource) federation, but may in the near future become a service OF the federation

28 Slightly less authoritative source
Merriam-Webster: an association of persons, parties, or states for mutual assistance and protection

29 More information
eduroam in SURFnet
  – http://www.eduroam.nl
eduroam in Europe
  – http://www.eduroam.org
TERENA TF-Mobility
  – http://www.terena.nl/mobility
Géant2 Joint Research Activity 5 (authorisation and roaming)
  – http://www.geant2.net/server/show/nav.758
The unofficial IEEE802.11 security page
  – http://www.drizzle.com/~aboba/IEEE

